Cameyo Blog

  

Why Security Must Be Designed Into the Core of Your Digital Workspace

October 22, 2020
By Brandon Lee

There are several key concepts that are important for organizations to think through when transitioning to a digital workspace for enabling remote work. But regardless of what industry you're in, one of the most important elements to pay attention to when you're evaluating a digital workspace solution is security. As hackers increasingly target remote workers as an entry point into corporate networks, making sure security is built in at the foundation of your digital workspace is critical.

Cameyo has distinguished itself as a powerful remote work and digital workspace solution that is serious about security, built from the ground up with a Zero Trust security model that helps reduce your organization's overall attack surface. Let’s take a closer look at the foundational security capabilities built into the Cameyo solution and see how these bolster the overall security posture of your organization’s digital workspace.

Key security features found in Cameyo

When evaluating a digital workspace solution, it's important to determine whether the vendor views security features/capabilities as "optional add-ons", or whether security comes baked into the core. With Cameyo, all security capabilities are built into the foundation of the platform and are included for all customers at no additional cost. Let’s take a look at four key security capabilities designed into the Cameyo platform:

  • Cameyo NoVPN
  • Cameyo Port Shield
  • Cameyo Layered Revert
  • Cameyo Session Sync 

Cameyo NoVPN

The Cameyo solution effectively provides a secure digital workspace environment without the need for VPN.  Organizations have traditionally used VPN technology for decades to allow remote workers to connect to corporate resources that are located in the on-premises corporate data center.  However, VPN has become a legacy technology that is less than desirable and even opens your organization up to security risks.  

There are many challenges and concerns to consider with traditional VPN connections.  VPNs do not scale very well across a large client base and performance can quickly become an issue with many users aggregated to a VPN concentrator.  There are also management challenges to overcome with VPN such as client VPN software that must be installed, provisioned, configured and managed throughout the lifecycle of the solution.   Aside from the management and performance challenges with VPN, there are security risks involved as well.  

When remote clients are connected via a VPN tunnel, the remote client device essentially becomes part of the corporate network, much the same way as if you simply plugged a network cable into a network switch in the corporate office.  With this behavior as part of VPN solutions, any unwanted or potentially malicious software loaded on the remote client is brought into the corporate network by way of the VPN connection.  This means there is the potential for extremely dangerous malicious code such as ransomware to have unfettered access to the corporate network by means of the VPN connection.  

In addition to the risk of malicious software by way of VPN connectivity, VPN provides the possibility for easy data exfiltration from the corporate network.  When a remote user is connected via VPN, data can easily be copied from corporate network resources to the remote end user client or even a personal cloud environment.  

With Cameyo's NoVPN functionality there is no requirement for VPN connectivity for remote workers to access business-critical applications.  This provides many benefits, including: 

  • The client stays outside the corporate network with no direct connection
  • Connectivity to applications is made possible through a secure browser connection
  • SSL encryption protects communication between client and application
  • Requirements are very simple: a browser, and HTTPS egress traffic only
  • Unlike VPN, there is no end user client software that is required besides a browser

Port Shield 

Cameyo takes security several steps further by protecting the ports that are needed for various operations with a technology called Port Shield.  Unlike other remote work or digital workspace solutions, Cameyo requires very few ports to interact with the solution.  These include ports for RDP and web connectivity.  

  • RDP port 3389 – Used for administrative tasks and installing applications on the Cameyo server
  • HTTPS 443 (this is configurable) – Used for end-user connectivity to published applications

Cameyo Port Shield automatically closes external access to the specified ports unless needed.  When an end user or administrator connects to the Cameyo portal and is authenticated, Port Shield then dynamically orchestrates firewall rules on the Cameyo server to allow the specific IP address for an end user or administrator who has been granted access.  Once the end user or administrator logs out, the firewall exception, even for the once authenticated session IP, is removed.

With this approach, no ports are allowed to stay open for any period of time. This results in a solution that, by default, is hardened against brute force attacks or zero-day vulnerabilities that an attacker may attempt to capitalize on with systems that are exposed to the outside world through a persistent open port or range of ports.

 

Port Shield settings defined in the properties of your Cameyo server
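The session-scoped allow-listing described above can be checked as a desired-state comparison: every inbound exception on the shielded ports should match a currently authenticated session. The following is an added conceptual sketch, not Cameyo's code or API; the `Rule` type, the `reconcile` function and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

# Ports named in the post: RDP for administration, HTTPS for published apps.
SHIELDED_PORTS = {3389, 443}
ANY = "0.0.0.0/0"  # assumed notation for an unrestricted source


@dataclass(frozen=True)
class Rule:
    source: str  # source IP, or ANY for an unrestricted rule
    port: int


def reconcile(active_sessions, current_rules):
    """Compare inbound allow rules with authenticated sessions.

    active_sessions: iterable of (source_ip, port) for authenticated sessions.
    current_rules:   iterable of Rule currently allowing inbound traffic.
    Returns (to_add, to_remove, findings).
    """
    # Sessions sharing an IP and port collapse into one rule, so the
    # exception stays until the last of them ends.
    wanted = {Rule(ip, port) for ip, port in active_sessions
              if port in SHIELDED_PORTS}
    shielded = {r for r in current_rules if r.port in SHIELDED_PORTS}
    to_add = wanted - shielded
    to_remove = shielded - wanted
    findings = []
    for r in sorted(to_remove, key=lambda r: (r.port, r.source)):
        if r.source == ANY:
            findings.append(f"port {r.port} open to any source")
        else:
            findings.append(f"stale exception for {r.source} on port {r.port}")
    return to_add, to_remove, findings


# Constructed sample state (documentation-range addresses, RFC 5737).
SESSIONS = [("198.51.100.7", 443), ("203.0.113.20", 3389)]
RULES = [
    Rule("198.51.100.7", 443),  # matches a live session: keep
    Rule("192.0.2.55", 3389),   # administrator logged out, rule left behind
    Rule(ANY, 3389),            # persistent open RDP port
]

if __name__ == "__main__":
    add, remove, findings = reconcile(SESSIONS, RULES)
    print("add:", add, "remove:", remove)
    for finding in findings:
        print("finding:", finding)
```
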

Layered Revert

For organizations that have supported Terminal Servers and the newer Remote Desktop Services servers, the server essentially becomes a “glorified workstation” for your end users, who use it to log in and launch applications. With this approach IT has to manage not only the applications, but also the user profile and session data, which can be problematic for IT support. It can also introduce the possibility of security issues, since the user profile data generally persists after logoff and can often be a hiding place for unwanted or outright malicious software.

To solve this, Cameyo developed its Layered Revert technology. With Layered Revert, Cameyo employs a volatile layer on which users work that is not attached to any specific user profile. Session data is redirected to on-premises or cloud storage through a patent-pending I/O virtualization technology. While the volatile layer and its other changes are discarded, application data does persist. When a new session is started, an empty layer is provided for the user session to take place.

How the Layered Revert process works is very similar in concept to reverting a VM back to a particular snapshot point in time.  The changes that have happened since the snapshot was taken are discarded.  On the session's end, the volatile layer employed by Cameyo is discarded while the important application data persists.  The entire workflow and underlying process is transparent to the end user working with published applications.     

 

Cameyo Layered Revert ensures pristine and isolated sessions with each new connection

Session Sync

Rounding out the Cameyo solution to provide a secure digital workspace to end users is a technology called Session Sync. Cameyo’s Session Sync technology allows end users to have access to specific configuration settings and user files that will follow them between sessions. Session Sync works in harmony with Layered Revert to ensure user data is persistent, while ensuring the session layer is pristine and secure upon each new connection. With Cameyo’s Session Sync, user files and data are synced to Google Cloud Storage or Microsoft OneDrive. This means that users are able to see and access data such as auto-saved files, stored data, and their settings.

Another great feature of Session Sync is that it provides the ability for organizations to turn off the downloading of files by end users.  This can protect against data exfiltration concerns for sensitive data as well as help to ensure regulatory compliance.  

Wrapping Up

As your organization transitions to a more permanent remote work strategy or as you're looking for a secure platform for establishing a digital workspace, make sure the solution you choose takes security seriously.  Cybercriminals are increasingly on the hunt for remote work environments that have vulnerabilities and are easy prey for ransomware or brute force attacks.  

Cameyo was designed from day one with security at the foundation of the platform. Cameyo's founder and CTO, Eyal Dotan, has spent his entire career in cybersecurity. He designed one of the first Host Intrusion Prevention (HIPS) software solutions of its kind, and he holds 12 invention patents in the field of computer security. As a result, Cameyo's entire approach to remote work is centered around security.

With each layer of the solution, security has been given priority in the overall design and execution of the platform. And all this security doesn't come at the cost of simplicity - Cameyo actually automates the complexity out of remote work infrastructure.  With robust security features such as NoVPN, Port Shield, Layered Revert, and Session Sync, Cameyo helps ensure that your remote workers AND your corporate network & data are secure at all times.  
